Monday, May 20, 2013

Are Banks Required to Disclose the Indentity of their Customers to Copyright Holders?

FutureOfCopyright reports very interesting recent Dutch copyright case - BREIN v. ING (Case No. C/13/539327). Local anti-piracy group BREIN sued well known bank and insurance company, ING, for disclosure of identity and bank transfers of one of it's customers, who is a domain name holder of a website (largest Usenet community in the Netherlands with around 500,000 member) that was found to be infringing copyright by Dutch courts in 2011. From Google Translated version of the decision, I grasped that ING in fact provided partial information to BREIN out of the court upon it's request.

It is not entirely clear to me from the FOC article and Google Translated version of the decision, whether disclosure action was brought against ING as an injunction against innocent party or as an injunction against wrongdoer. The court (in Google Translate) discusses:

The claim of BREIN can be granted if it is sufficiently plausible that ING Bank acted unlawfully towards Brain. According Brein rests on ING Bank on the basis of social care standards the legal obligation to provide those who are authorized to possess the funds to the account of [F] and identifying data acts ING Bank unlawfully against her through despite a request not to do. In answering the question whether in this case there is wrongdoing, it comes in the opinion of the court entails a consideration of mutual interests.
ING Bank has hearing for hands rightly argued that it was not "instrumental" is in the commission of (alleged) copyright infringement by FTD World of facilitating this by FTD World. Brein has to support its claim rely on case law which hosting providers and / or internet service providers sentenced to providing responsible behind "pirate websites".'s Personal In the opinion of the judge ignores this brain that the role of an Internet service provider or hosting provider is substantially different from that of a bank like ING Bank. A "pirate site" can not exist without a provider. There is no question of illegality if the provider does not supply services. ING Bank provides "only" bank transactions, which is not as a sine qua non to have effect in relation to (possible) copyright infringement. The provision of services by ING Bank, is not necessary for copyright infringement (unlawful). This is also available as on the websites involved no account number is known. Execution of a payment is not required to use the services offered on the websites of FTD World. Use The alleged unlawful activities take place entirely outside the purview of ING Bank and outside its sphere of influence. ING Bank is not in a position - and they do not have the expertise to have - to become an informed assessment (to) assess the (un) lawfulness of "pirate websites". There is no relationship between ING Bank and copyright infringement, while there is a relationship between an internet service provider or hosting provider and copyright infringement.

This would suggest that action was indeed brought as an injunction against wrongdoer, although to be frank, it makes only little sense to me. It would make more sense if the bank would be sued for disclosure as an innocent 'intermediary' aka UK Norwich-Pharma order [1974]. The action that one would expect in Member States national law as an implementation of either Art. 8(3) of the Information Society Directive, or Art. 8(1) of the Enforcement Directive that reads:

Member States shall ensure that, in the context of proceedings concerning an infringement of an intellectual property right and in response to a justified and proportionate request of the claimant, the competent judicial authorities may order that information on the origin and distribution networks of the goods or services which infringe an intellectual property right be provided by the infringer and/or any other person who:
..

(c) was found to be providing on a commercial scale services used in infringing activities;
But this is not why I find the case so interesting to report (although the balancing exercise is of course very interesting). Recently, in my Dallas working paper on 'innocent parties injunctions' (in second updated version), I ask how can we justify such injunctions in cases, where tort law remedies did not fail, i.e. where they have not been exhausted. I ask this both in the context of costs shifting, but also in the context of abusive exercise of such claims (like this one).

This is why it is relevant here. FOC reports that

[..] the Court ruled that the ING is not required to hand over the requested information since such a court ruling can only be deployed as a last remedy. BREIN had not yet depleted all other possible options to cease FTD World’s business and, besides, banks have a specific and legitimate interest to secure its account holders’ privacy and trust. [..] In the judgment, the Court questions whether BREIN has taken sufficient measures to trace the domain name holder and the Russian hosting provider. Also, BREIN has not yet reported FTD World’s acts to enforcement authorities.

If the case was actually brought as an action against innocent party, it might have an interesting line of argument, which basically says following. Injunction against innocent party is acceptable even if it deals with such sensitive data as bank data, but first, the tort law remedies have to be exhausted to justify such action. The argument basically proposes subsidiarity between the two types of claims with priority of tortious claims. Needless to say, that right holders do not really like this idea of subsidiarity of claims, and advocated strongly against it for instance during the debate on amendment of the Enforcement directive: 

The availability of an injunction against intermediaries should not depend on whether the infringer has or has not been identified; nor should the availability of such an injunction be made subject to an obligation for the rights-holder to sue the actual infringer (no rule of subsidiarity).
Exhaustion requirement could help to solve some abuses of injunctions against innocent parties and would, to some extend, solve also problem of costs, but it is still very limited solution to much bigger problem (see my concluding remarks in the mentioned paper).

BREIN announced to appeal the case.


Comment and clarifications from Dutch colleagues in comments or via email are much appreciated.

Update 22/05/2013: a very kind reader, William Bird from Patentive, provides some rough translation of the judgment.

Brein submits - in summary - that FTD World is unmistakably guilty of committing on-going copyright infringement or to facilitate it. Brein therefore has a compelling interest in order to find out who the leaders are behind FTD World. Under Articles 31 and 31a of the Copyright Act, the activities of FTD World as a criminal offense must be considered, moreover, in this case, also the application of the sanction under Article 31b Aw. The business model of FTD World means that it receives payments from advertisers and users of the websites of FTD World. ING Bank facilitates these payments. In practice, it is almost impossible to trace those responsible. Behind FTD World the domain name holder of FTD World ([E]) is a non-existing person. There was no response to a summons to his / her address. The Russian hosting provider has not responded to a summons of Brein. The Dutch intermediary involved in the registration of the domain name of FTD World has no more information than is already known to Brein. One can assume that [F] is not responsible for the websites of World FTD, she is very old and lives in Suriname in an unknown place. It is possible that she is a 'strawman'. The person currently in the former home of [F] is not doing anything with World of FTD. Brein has therefore done everything to find out the identity of those responsible behind FTD World. Today the only clue is the account at ING Bank. ING Bank, according to its letter of 7 March 2013 is only prepared to meet part of the request for information by Brein. ING Bank has advised that there is a proxy, but the data in its letter provides not lead to the identity of those authorized. In the opinion of Brain ING Bank should also provide such data. The necessary conditions (see for example the judgment of the Supreme Court of 25 November 2005 in the case Lycos / Pessers) are met in this case [in this case, the Dutch Supreme Court said that 'the request to reveal the identity of the holder of the website should be judged independently of the ISP’s liability based on the E-commerce Directive. Refusal to reveal the identity of the holder of a website might, in certain circumstances, constitute an unlawful act.', note by Hutko]. FTD World develops manifestly unlawful activities, it is beyond reasonable doubt that the representative of [F] is responsible, the affiliates of Brein will suffer significant damage and Brein has no other (practical) ability to identify those responsible. The claim of Brain is limited and is sufficiently specific and proportionate. The privacy interests of [F] should therefore be waived for the interests of the members of Brein.


4. The opinion of the court

4.1. The claim of Brein can be granted if it is sufficiently plausible that ING Bank acted unlawfully towards Brein. According to Brein, ING Bank has the legal obligation to provide the names of those who are authorized to access the funds from the account of [F] and identifying data on the basis of social care standards and that ING Bank acts unlawfully against her despite a request not to do so. As answer to the question whether there is wrongdoing in this case, in the opinion of the court is that this entails a consideration of mutual interests. ING Bank would have to give up the privacy interests of its customers. The importance for Brein lies in the fact that it should take action against copyright infringement on behalf of its member owners. In this balancing of interests, all relevant circumstances of the case are involved.

4.2. Both parties have referred to the Data Protection Act (DPA), in particular Article 8 paragraph f of that law. ING Bank has also referred to the Conduct in Processing of Personal Information by Financial Institutions which is derived from the DPA. It is true that the purpose of the collection of personal data by a bank like ING Bank is not in the investigation of criminal and/or unlawful activities. In answering the question whether ING Bank may be made to provide information under the Data Protection Act and / or the Code of Conduct this broadly relates to the same interests as mentioned under

4.1. In this context, the legitimate interest in the disclosure of certain information has to be weighed against the privacy interest.

4.3. ING Bank has in the hearing rightly argued that it was not "instrumental" in the (alleged) copyright infringement by FTD World or of facilitating this by FTD World. Brein has to rely in its claim on case law concerning hosting providers and / or internet service providers that were ordered to provide information on those responsible behind "pirate websites”. In the opinion of the judge Brein misjudges the role of an Internet service provider or hosting provider which is substantially different from that of a bank like ING Bank. A "pirate site" cannot exist without a provider. There is no question of illegality if the provider does not supply services. ING Bank provides "only" bank transactions, which is not to have effect sine qua non in relation to (possible) copyright infringement [I find this argument to be very little convincing, some ISPs certainly have very similar position to a bank, note by Hutko]. The provision of services by ING Bank, is not necessary for copyright infringement (for it to be unlawful). This also occurs on the websites where no account number is known. Execution of a payment is not required to use the services offered on the websites of FTD World. The alleged unlawful activities take place entirely outside the purview of ING Bank and outside its sphere of influence. ING Bank is not in a position - and they do not have the expertise - to get an informed assessment to assess the (un) lawfulness of "pirate websites". There is no relationship between ING Bank and copyright infringement, while there is a relationship between an internet service provider or hosting provider and copyright infringement.

4.4. Furthermore, ING Bank rightly argued that the (legal) possibilities of Brein to identify those responsible behind FTD World have not (yet) been exhausted. One can put in question the effectiveness of the efforts of Brein to trace the domain name owner  and / or trace the Russian hosting provider. Moreover, [F] has not been contacted or legally called upon to provide the personal details of the proxy let alone has any attempt been made to trace her. Brein assumes that [F] has nothing to do with FTD World, but this assumption is based on nothing else than on general knowledge about the "profile" of those responsible for "pirate websites".

4.5. The criminal law is not closed to Brein. Brein did not file any claim, although it considers the case involves criminal offenses. While it is true that the Intellectual Property fraud is based on the principle of civil enforcement, the fact remains that the public prosecutor is the person who may ask a third party to provide certain information to him in the context of a criminal investigation. If Brein want access to personal data, they should report a crime, in order to get the public prosecutor to provide that information. Note that Intellectual Property Fraud does not make such a request impossible.

4.6. Finally, ING Bank has rightly relied on the special position that banks have in legal and financial transactions. There is a strong emphasis on the trust that clients should be able to enjoy in their banks. This confidence must keep in mind that customers' personal data may only be communicated to third parties in very exceptional circumstances. If the data is to be provided then these should be "in safe hands" with such third parties. That Brein, as she stated in the hearing, has a legitimate statement of the Data Protection Authority, does not necessarily lead to the conclusion that it will not provide the data to others.

4.7. Based on the above considerations, the judge considers that the interests of ING Bank in this case outweigh those of Brein. For the time being ING Bank therefore is not acting unlawfully by refusing to (further) to provide data. This leads to the denial of the requested provision by Brein.

4.8. The reference to the judgment of the District Court of The Hague December 6, 2011 in the case Brain/Techno Design does not cast a different light on this matter. In that judgment is first mentioned that Techno Design made a limited defense. Techno Design is also not a bank, but a so-called payment provider. She offers an online payment service that allows visitors to a website to execute payments to the operator of a website, without the visitor obtaining information about the administrator of the site. In this way it allows administrators of websites - including operators of websites through which copyright infringement may be committed - to remain anonymous while knowingly aware of the issue. Unlike the present case in which Brein can figure out who the trustee of the account through [F], in the Brain / Techno Design case, Brain could only find out who committed the unlawful act from Techno Design. For this reason, the balance of interests differs materially.

Although the reasoning little bit blurs whether this was a case against an innocent party, referring to other cases, such as Lycos v. Pessers, indicates that this might be the case. I understand the outcome, but at the same time I have to say that courts reasoning is not entirely convincing in a part where it draws distinctions to other Internet service providers. It literally seems as if the court was surprised that a far reaching interpretation given in the context of Internet providers, shall be applied outside of the Internet world. Needless to say, I am not surprised.

Update 2 [16/6/13]: It seems that this summer, German Federal Supreme Court (BGH) will deal with the question in the title as well in Davidoff [trade mark] case (Az. I ZR 51/12). First instance court granted the claim for information against the bank (LG Magdeburg – Urteil vom 28. September 2011 – 7 O 545/11, ZD 2012, 39), but the second instance rejected it (OLG Naumburg – Urteil vom 15. März 2012 – 9 U 208/11, GRUR-RR 2012, 388). Now it's up to BGH to decide.

No comments: